From 3b2376b47a9f1fc7dfd138d4ecc70e5d8897dc2b Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Thu, 13 Jul 2017 12:14:20 -0400

Subject: [PATCH] Prevent KDC unset status assertion failures

Assign status values if S4U2Self padata fails to decode, if an

S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request

uses an evidence ticket which does not match the canonicalized request

server principal name.  Reported by Samuel Cabrero.

If a status value is not assigned during KDC processing, default to

"UNKNOWN_REASON" rather than failing an assertion.  This change will

prevent future denial of service bugs due to similar mistakes, and

will allow us to omit assigning status values for unlikely errors such

as small memory allocation failures.

CVE-2017-11368:

In MIT krb5 1.7 and later, an authenticated attacker can cause an

assertion failure in krb5kdc by sending an invalid S4U2Self or

S4U2Proxy request.

  CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

ticket: 8599 (new)

target_version: 1.15-next

target_version: 1.14-next

tags: pullup

(cherry picked from commit ffb35baac6981f9e8914f8f3bffd37f284b85970)

---

 src/kdc/do_as_req.c  |  4 ++--

 src/kdc/do_tgs_req.c |  3 ++-

 src/kdc/kdc_util.c   | 10 ++++++++--

 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c

index 241b05b40..f5cf8ad89 100644

--- a/src/kdc/do_as_req.c

+++ b/src/kdc/do_as_req.c

@@ -372,8 +372,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)

     did_log = 1;

 egress:

-    if (errcode != 0)

-        assert (state->status != 0);

+    if (errcode != 0 && state->status == NULL)

+        state->status = "UNKNOWN_REASON";

     au_state->status = state->status;

     au_state->reply = &state->reply;

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c

index 4c722a4a3..0009a9319 100644

--- a/src/kdc/do_tgs_req.c

+++ b/src/kdc/do_tgs_req.c

@@ -829,7 +829,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,

     free(reply.enc_part.ciphertext.data);

 cleanup:

-    assert(status != NULL);

+    if (status == NULL)

+        status = "UNKNOWN_REASON";

     if (reply_key)

         krb5_free_keyblock(kdc_context, reply_key);

     if (errcode)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c

index 8cbdf2c5b..5455e2a67 100644

--- a/src/kdc/kdc_util.c

+++ b/src/kdc/kdc_util.c

@@ -1213,8 +1213,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,

     req_data.data = (char *)pa_data->contents;

     code = decode_krb5_pa_for_user(&req_data, &for_user);

-    if (code)

+    if (code) {

+        *status = "DECODE_PA_FOR_USER";

         return code;

+    }

     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);

     if (code) {

@@ -1313,8 +1315,10 @@ kdc_process_s4u_x509_user(krb5_context context,

     req_data.data = (char *)pa_data->contents;

     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);

-    if (code)

+    if (code) {

+        *status = "DECODE_PA_S4U_X509_USER";

         return code;

+    }

     code = verify_s4u_x509_user_checksum(context,

                                          tgs_subkey ? tgs_subkey :

@@ -1617,6 +1621,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,

      * that is validated previously in validate_tgs_request().

      */

     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {

+        *status = "INVALID_S4U2PROXY_OPTIONS";

         return KRB5KDC_ERR_BADOPTION;

     }

@@ -1624,6 +1629,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,

     if (!krb5_principal_compare(kdc_context,

                                 server->princ, /* after canon */

                                 server_princ)) {

+        *status = "EVIDENCE_TICKET_MISMATCH";

         return KRB5KDC_ERR_SERVER_NOMATCH;

     }